-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Reference: CERT-EU Security Advisory 2013-0023
Title: JBoss Enterprise Application Platform 5.2.0 security update [1]
Version history:
19.02.2013 Initial publication
Summary
=======
Updated JBoss Enterprise Application Platform 5.2.0 packages are available that fix two security issues.
The Red Hat Security Response Team has rated this update as having important security impact.
CVE numbers [2]: CVE-2012-5633, CVE-2012-3451
Affected Versions
=================
JBoss Enterprise Application Platform 5.2.0
Original Details
================
Security fixes:
If web services were deployed using Apache CXF with the WSS4JInInterceptor
enabled to apply WS-Security processing, HTTP GET requests to these
services were always granted access, without applying authentication
checks. The URIMappingInterceptor is a legacy mechanism for allowing
REST-like access (via GET requests) to simple SOAP services. A remote
attacker could use this flaw to access the REST-like interface of a simple
SOAP service using GET requests that bypass the security constraints
applied by WSS4JInInterceptor. This flaw was only exploitable if
WSS4JInInterceptor was used to apply WS-Security processing. Services that
use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)
It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks
under certain conditions. If web services were exposed via Apache CXF that
use a unique SOAPAction for each service operation, then a remote attacker
could perform SOAPAction spoofing to call a forbidden operation if it
accepts the same parameters as an allowed operation. WS-Policy validation
was performed against the operation being invoked, and an attack must pass
validation to be successful. (CVE-2012-3451)
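The two descriptions above share one root cause: the operation that gets executed is chosen by a different component than the one that applies the access check, so the check can be satisfied for one operation while another one runs. The following toy dispatcher, added here for illustration and not code from Red Hat, Apache CXF or the advisory, models both cases side by side: a GET path that maps a URL to an operation without running the WS-Security interceptor, and a POST path where an access check keys on the operation named in the SOAP Body while dispatch follows the SOAPAction header. The service name, operations, namespaces, users and URL layout are all made up, and the shape of the legacy GET mapping (last path segment as operation name) is an assumption of the model, not a statement about CXF internals. The hardened variant derives a single operation from the Body, requires any SOAPAction header to agree with it, and refuses GET.

```python
"""Toy SOAP dispatcher modelling the two flaws described above. Constructed
illustration, not Apache CXF code: service, operations, users and URL layout
are made up for the example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SVC_NS = "urn:example:accounts"  # hypothetical service namespace

# Hypothetical operations; both take the same parameter (accountId), which
# is the precondition the advisory gives for the SOAPAction spoofing case.
OPERATIONS = {"viewAccount", "closeAccount"}
REQUIRED_ROLE = {"viewAccount": "user", "closeAccount": "admin"}
USERS = {"alice": ("s3cret", "user"), "root": ("hunter2", "admin")}  # made up

def q(ns, local):  # Clark-notation qualified name for ElementTree lookups
    return "{%s}%s" % (ns, local)

def soap_request(op, user, password, account="42"):
    """Constructed request: UsernameToken for `user`, Body naming `op`."""
    return (
        '<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:acc="%s"><s:Header>'
        '<wsse:Security><wsse:UsernameToken><wsse:Username>%s</wsse:Username>'
        '<wsse:Password>%s</wsse:Password></wsse:UsernameToken></wsse:Security>'
        '</s:Header><s:Body><acc:%s><acc:accountId>%s</acc:accountId></acc:%s>'
        '</s:Body></s:Envelope>'
    ) % (SOAP_NS, WSSE_NS, SVC_NS, user, password, op, account, op)

def authenticate(env):
    """Simplified stand-in for WSS4J UsernameToken processing: role or None."""
    tok = env.find(".//%s/%s" % (q(WSSE_NS, "Security"), q(WSSE_NS, "UsernameToken")))
    record = USERS.get(tok.findtext(q(WSSE_NS, "Username"))) if tok is not None else None
    if record is None or record[0] != tok.findtext(q(WSSE_NS, "Password")):
        return None
    return record[1]

def body_operation(env):
    """Operation named by the first child element of soap:Body, or None."""
    body = env.find(q(SOAP_NS, "Body"))
    child = next(iter(body), None) if body is not None else None
    if child is None or not child.tag.startswith("{%s}" % SVC_NS):
        return None
    op = child.tag.split("}", 1)[1]
    return op if op in OPERATIONS else None

def action_operation(headers):
    """Operation named by the SOAPAction header (one unique action per op)."""
    action = headers.get("SOAPAction", "").strip().strip('"')
    return next((op for op in OPERATIONS if action == "%s/%s" % (SVC_NS, op)), None)

def authorize(op, role):
    return role == REQUIRED_ROLE[op] or role == "admin"

def invoke(op, role):
    return "OK: %s executed as %s" % (op, role)

def dispatch_vulnerable(method, url, headers, body):
    """Behaviour the advisory describes for the unpatched stack."""
    if method == "GET":
        # Legacy REST-like mapping (shape assumed): last path segment names the
        # operation, the query string carries arguments, and the WS-Security
        # interceptor never runs on this path (CVE-2012-5633).
        op = urlsplit(url).path.rsplit("/", 1)[-1]
        return (200, invoke(op, "anonymous")) if op in OPERATIONS else (404, "unknown operation")
    env = ET.fromstring(body)
    role = authenticate(env)
    if role is None:
        return (401, "authentication failed")
    seen = body_operation(env)  # what a Body-inspecting access check sees
    if seen is None or not authorize(seen, role):
        return (403, "forbidden")
    # Dispatch follows SOAPAction, so a spoofed header runs a different
    # operation that happens to take the same parameters (CVE-2012-3451).
    return (200, invoke(action_operation(headers) or seen, role))

def dispatch_hardened(method, url, headers, body):
    """One operation derived from the Body, SOAPAction must agree, no GET mapping."""
    if method != "POST":
        return (405, "SOAP endpoint accepts POST only")
    env = ET.fromstring(body)
    role = authenticate(env)
    if role is None:
        return (401, "authentication failed")
    op = body_operation(env)
    if op is None:
        return (400, "unknown Body element")
    claimed = action_operation(headers)
    if claimed is not None and claimed != op:
        return (400, "SOAPAction does not match Body operation")
    if not authorize(op, role):
        return (403, "forbidden")
    return (200, invoke(op, role))

if __name__ == "__main__":
    url = "http://svc.example.invalid/accounts/AccountService"  # made-up endpoint
    spoof = {"SOAPAction": '"urn:example:accounts/closeAccount"'}
    msg = soap_request("viewAccount", "alice", "s3cret")
    print(dispatch_vulnerable("GET", url + "/closeAccount?accountId=42", {}, None))
    print(dispatch_vulnerable("POST", url, spoof, msg))
    print(dispatch_hardened("POST", url, spoof, msg))
```

In the vulnerable variant an unauthenticated GET to .../closeAccount runs the privileged operation, and an authenticated low-privilege user whose Body names viewAccount but whose SOAPAction names closeAccount gets closeAccount executed; the hardened variant rejects both. The point the model makes is that any control which decides on one view of the operation (URL, header or Body) is only as good as the dispatcher's agreement with that view, which is why the advisory notes that services applying security through WS-SecurityPolicy (evaluated against the operation actually invoked) were not affected by the first issue.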
What can you do?
================
This update is available via the Red Hat Network. [3] Before and after patching, it is worth confirming which of your CXF web services apply WS-Security through WSS4JInInterceptor rather than WS-SecurityPolicy, and which expose a unique SOAPAction per operation: according to the original details above, those are the configurations affected by CVE-2012-5633 and CVE-2012-3451 respectively.
What to tell your users
=======================
N/A
More information
================
[1]
https://rhn.redhat.com/errata/RHSA-2013-0256.html
[2]
https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
[3]
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0
Best regards,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----